APF, Iptables, hackers and some random thoughts

So I logged in yesterday to a server recently handed over to me. Upon login, I found the following report of hackers trying to break-in using brute force attacks.

Username Failures Maximum Latest
root 16640 0 Thu Feb 2 -0600 on 209.160.64.
bin 24 0 Thu Feb 2 -0600 on 83-103-110-
daemon 68 0 Thu Feb 2 -0600 on 206.40.148.
adm 94 0 Thu Feb 2 -0600 2006 on ssl.ctssg.c
lp 58 0 Thu Feb 2 -0600 2006 on 83-103-110-
sync 20 0 Thu Feb 2 -0600 2006 on 83-103-110-
shutdown 20 0 Thu Feb 2 -0600 2006 on 83-103-110-
halt 20 0 Thu Feb 2 -0600 2006 on 83-103-110-
mail 68 0 Thu Feb 2 -0600 2006 on 59.3.116.92
news 87 0 Thu Feb 2 -0600 2006 on 125.251.123
uucp 18 0 Thu Feb 2 -0600 2006 on 83-103-110-
operator 23 0 Thu Feb 2 -0600 2006 on 83-103-110-
games 73 0 Thu Feb 2 -0600 2006 on 125.251.123
gopher 12 0 Thu Feb 2 -0600 2006 on 192.38.8.20
ftp 334 0 Thu Feb 2 -0600 2006 on 211.154.205
squid 55 0 Thu Feb 2 -0600 2006 on 219.84.168.
named 99 0 Thu Feb 2 -0600 2006 on 125.251.123
mysql 470 0 Thu Feb 2 -0600 2006 on 211.154.205
rpcuser 15 0 Thu Feb 2 -0600 2006 on 220.80.132.
rpc 12 0 Thu Feb 2 -0600 2006 on 192.38.8.20
apache 260 0 Thu Feb 2 -0600 2006 on 83.228.113.

As if these idiotic hackers (and spammers) aren't enough to "boil your blood" as Ronald says it, the firewall on my sever won't let me connect to another server of mine.

Since yesterday, I have been trying to troubleshoot a faulty APF/iptables configuration on one of my servers. The configuration was setup by a colleague of mine and nonetheless, it brought more headaches than anything I could've imagined (Sorry man, but you gotta pay more attention to rules when adding them).

The problem was that though I could ping my server A from server B, I couldn't connect to it using SSH nor using MySQL. I had explicitily allowed connections from server B and had added server A to hosts.allow file, to no avail.

After more than 16 hours of pulling my hair with the old firewall configurations, (with more than 2000 rules), I finally decided that it was time to try upgrading APF to the most recent version.

Here are some of the helpful commands for reference:

List iptable rules

iptables --list

List IP addresses and port numbers in numeric format:

iptables --list -n

IP tables help refernce

iptables -h

View current iptables rules

cat /etc/sysconfig/iptables | less

View current APF rules ( I hate that the output is shown in pico instead of vi/vim)

apf --list

To fix, I upgraded apf and edited hosts.allow

sshd, imapd, mysqld:XXX.XX.XXX.XXX.86

Once again added the server to /etc/apf/allow_hosts.rules by allowing it explicitly

apf -a XXX.XX.XXX.XXX.86

and using IPTables (if you have no firewall)

iptables -A INPUT -p all -s XXX.XXX.XXX.XXX.86 -j ACCEPT

then reloaded APF and iptables.

To block an IP explicitly using APF, you can use (hacker's address):

/etc/apf/apf -d XX.141.48.33

The lesson I learned is that its much better to let go of your old firewall and use a new one if the current configuration (set up by someone else) is not working.

If you use Firefox and still don't have Jennifer Madden's visual extension installed, do so now as I highly recommend it.

Jay is talking about holding a regional meeting of MySQL users in Columbus, OH. I wish they would come near Atlanta, GA or Greenville, SC soon so I could get to meet all the cool folks.

I really liked Stewart's comments on having an integrated place for comments and documentation with a nice interface. May be if I get time, I will jump on the idea.

Mike has made available Sakila Schema 0.3 which can be downloaded here. Mike, your hard work on the documentation and guiding the community is greatly appreciated.

What a day indeed!

Frank
P.S. If anyone wants to brainstorm on setting up a next generation spam and hacker intrusion detection, blocking and reporting system with MySQL, I am all ears.

Resources: hosts.allow, SSH for TCP wrappers, RHCE Security Guide, IPTables tutorial